Category: updates

Windows 7 and Windows Server 2008 users will imminently have to deploy a mandatory patch if they want to continue updating their systems, as spotted by Mary Jo Foley.

Currently, Microsoft's Windows updates use two different hashing algorithms to enable Windows to detect tampering or modification of the update files: SHA-1 and SHA-2. Windows 7 and Server 2008 verify the SHA-1 patches; Windows 8 and newer use the SHA-2 hashes instead. March's Patch Tuesday will include a standalone update for Windows 7, Windows Server 2008 R2, and WSUS to provide support for patches hashed with SHA-2. April's Patch Tuesday will include an equivalent update for Windows Server 2008.

The SHA-1 algorithm, first published in 1995, takes some input and produces a value known as a hash or a digest that's 20 bytes long. By design, any small change to the input should produce, with high probability, a wildly different hash value. SHA-1 is no longer considered to be secure, as well-funded organizations have managed to generate hash collisions—two different files that nonetheless have the same SHA-1 hash. If a collision could be generated for a Windows update, it would be possible for an attacker to produce a malicious update that nonetheless appeared to the system to have been produced by Microsoft and not subsequently altered.

The ill-fated Windows 10 October 2018 Update has hitherto been offered only to those Windows users that manually sought it, either by using the dedicated upgrade and media creation tools or by manually checking for update in Windows Update. Three months after its initial release, Microsoft has at last started pushing it to Windows users automatically.

The update was originally withdrawn because of a data loss bug. A month after the initial release, the bug was fixed and the fixed update was made available. Even this release was limited, with a number of blocks in place due to known incompatibilities. As described above, it was then only offered to those taking certain manual steps to update their machines. One month ago, these blocks were largely removed.

Even with automatic deployment and installation now enabled, the beleaguered update is still rolling out in phases. Initially, it will be offered to spaces where Microsoft is most confident that the update will be trouble-free—machines with configurations already known and tested. As the tap is slowly opened more and the update is made available to a wider range of hardware, the company will use operating system telemetry to detect any lingering incompatibilities with device drivers or unusual software.

On November's Patch Tuesday two weeks ago, Microsoft released a bunch of updates for Office to update its Japanese calendars. In December 2017, Emperor Akihito announced that he would abdicate and that his son Naruhito would take his role as emperor. Each emperor has a corresponding era name, and calendars must be updated to reflect that new name. The Office patches offer updates to handle this event.

Two of these updates, KB2863821 and KB4461522, both for Office 2010, are apparently very broken, causing application crashes. The company has suspended delivery of the patches, but the problem is so severe that Microsoft is recommending that anyone who has installed the updates already should uninstall them pronto (see instructions for KB2863821 here and for KB4461522 here).

(credit: Marcus W / Flickr)
Windows Server 2008 and 2008 R2, as well as SQL Server 2008 and 2008 R2, are due to move out of extended support over the next few years—SQL Server in July 2019 and Windows Server in January 2020. For organizations still …

Windows Server 2008 and 2008 R2, as well as SQL Server 2008 and 2008 R2, are due to move out of extended support over the next few years—SQL Server in July 2019 and Windows Server in January 2020. For organizations still using that software, this offers a few options: keep using the software and accept that it won't receive any more security updates, migrate to newer equivalents that are still supported, or pay Microsoft for a custom support contract to continue to receive security updates beyond the cutoff dates.

Today, Microsoft added a fourth option: migrate to Azure. Microsoft is extending the support window by three years (until July 2022 for SQL Server, January 2023 for Windows Server) for workloads hosted on Azure in the cloud. This extended support means that customers that make the switch to the cloud will receive another three years of security fixes. After those three years are up, customers will be back to the original set of choices: be insecure, upgrade, or pay for a custom support contract.

Microsoft isn't requiring customers to demonstrate that they have any kind of migration plan in place, and this support scheme incurs no additional costs beyond those already imposed by running software on Azure in the first place.